Christopher Ross
Toronto WordPress Design and Development

Seven easy ways to make WordPress far more secure


We’re about to make your WordPress installation dramatically more secure by doing seven simple things to your blog. Hopefully everybody’s already done them and will just use this as a free checklist.

Secure your wp-config.php file

Of all the files in your WordPress installation, wp-config.php is probably the most important, because it contains the username and password for your database. So how do we make it safer? By moving it outside your public website. Simply log in to your site with an FTP client and move wp-config.php up one level so that it’s no longer inside your web root.

Why does this work? WordPress looks for wp-config.php in the root of your website, and if it can’t find it there the software automatically looks one level up. Luckily, that parent directory is outside the public web root, so the web server doesn’t serve it and hackers will struggle to read it.

Protect your WordPress account from brute force attacks

The most important part of securing WordPress is to look at your login. If you’re using the admin account, you’re doing it wrong. I cannot stress this enough. Almost as importantly, if your password is not secure, you’re doing it wrong.

There are a lot of theories about passwords. I’m not a supporter of random strings of gibberish, because I think they’re too hard for users to remember. Instead, I think passwords should be memorable to people and complicated for computers. For example, you could choose a password that is complex to remember, such as !n039cCA, which a brute force attack would eventually guess fairly easily, or an easy-to-remember but hard-to-guess password such as 3Beansareawonderfulfruit. If you really want to make life hard for hackers, mix in some misspellings. Here are some easy but creative password ideas:

  • 1fish2fish3fishwhofish
  • Usmelllikechicken2day
  • IwonderwhereIparkedat9am
  • YRUstillsingleat40?

Protect your vital directories

Use your robots.txt and .htaccess files to protect directories on your host. This will stop (or at least slow down) hackers from accessing pathways. .Net has a great piece on using your .htaccess file for security. Also consider using an Apache-level password file to secure your /wp-admin/ directory. Many hosts such as Bluehost have a control panel that allows you to add a password to your admin directory without knowing any server-level commands.
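As an added example (not from the original post), here is what the two .htaccess files mentioned above might contain: the web-root file refuses to serve wp-config.php (useful when your host won’t let you move it) and turns off directory listings, and the wp-admin file puts an Apache-level password in front of the dashboard. It assumes Apache 2.4 with AllowOverride enabled by your host and a .htpasswd file at a placeholder path outside the web root; note that robots.txt only asks well-behaved crawlers to stay away, while .htaccess rules are actually enforced by the server.

```apacheconf
## File 1: .htaccess in the WordPress web root
## (added example; place it above the "# BEGIN WordPress" block WordPress manages)

# Do not list directory contents when no index file is present
Options -Indexes

# Never serve wp-config.php over HTTP, even if it is still in the web root
<Files "wp-config.php">
    Require all denied
</Files>

# Hide .htaccess / .htpasswd themselves from web visitors
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>


## File 2: .htaccess inside /wp-admin/
## HTTP Basic auth is checked by Apache before WordPress runs, so guessing
## attempts against the dashboard never reach PHP or the database.

AuthType Basic
AuthName "Restricted admin area"
# Placeholder path (assumption): create the file with
#   htpasswd -c /path/outside/webroot/.htpasswd youruser
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# admin-ajax.php is called by themes and plugins for ordinary visitors too;
# leaving it behind the password would break those front-end features.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test it after uploading by requesting /wp-config.php and /wp-admin/ in a logged-out browser: the first should return 403 and the second should prompt for the Apache password before the WordPress login form appears.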

Hotfix your WordPress installation

WordPress isn’t immune to hackers, but luckily there are almost as many people dedicated to keeping it safe as there are trying to hack into it. I won’t give the lecture about keeping your site updated, because it’s just common sense that everybody should be updating their WordPress installation at each major release, but I will say that if you’re not running the WordPress Hotfix plugin, you’re leaving your website open to assault. It would be like leaving your car unlocked at a Sabres game, and nobody would do that. Which segues nicely into my next point …

Trust your plugin developers with your website, or don’t use them at all

The team at WordPress.org do a great job trying to police plugins, but remember that a plugin is a unique piece of code written by a developer outside of the WordPress framework. Plugins can do anything to your website, from changing your password to deleting your database. If you don’t trust a plugin author, don’t install the plugin. It’s that simple.

So, can you trust the WordPress Hotfix plugin? I think so. It’s authored by Andrew Nacin and Mark Jaquith, two of the most active members of the WordPress development team, so you’re already running their code.

Stay Informed

If you’re not able to follow all the WordPress news regularly, at least take the time to follow a little bit of it. Set up a Google News feed for WordPress security, follow the core developers on Twitter, subscribe to a security feed like Sucuri, or hire a consultant who can monitor it all for you.

Backup Regularly!

We all hope that a hacker will never get into your site, but if they do, you need to be able to recover quickly, and that’s where a good backup comes in handy. Doing daily backups of WordPress will give you a quick (and easy) way to roll back your website if anything goes wrong.

Disclosure
In accordance with the FTC Endorsements and Testimonials in Advertising guidelines, please note that this post includes reviews or links to affiliate programs. The reviews provided in this post are unbiased and presented in a fair manner. This post does not include misleading or paid reviews.

About Christopher Ross

I build WordPress websites in Toronto, Canada for passionate companies who need amazing solutions. You can find me on Linkedin, Facebook, Twitter, and WordPress. If you'd like help with your next website, send me an email.

This entry was posted in Tutorials and tagged admin account, blog, brute force attack, config, free checklist, Ftp Client, gibberish, hackers, passwords, random strings on February 4, 2013 by Christopher Ross.
